[U-Boot] nxp: HABv4 secure boot on iMX7 NAND broken

Igor Opaniuk igor.opaniuk at gmail.com
Tue Jul 30 14:26:51 UTC 2019


Hi Bryan,

On Tue, Jul 30, 2019 at 5:08 PM Bryan O'Donoghue
<bryan.odonoghue at linaro.org> wrote:
>
>
>
> On 30/07/2019 15:02, Bryan O'Donoghue wrote:
> >
> >
> > On 30/07/2019 14:56, Igor Opaniuk wrote:
> >>> Does that happen ?
> >> Yes, it does.
> >
> > And the board is closed ?

Actually it's not. In U-Boot stored to RAM via recovery:

Colibri iMX7 # hab_status

Secure boot disabled

HAB Configuration: 0xf0, HAB State: 0x66

--------- HAB Event 1 -----------------
event data:
0xdb 0x00 0x08 0x42 0x33 0x22 0x0a 0x00

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ADDRESS (0x22)
CTX = HAB_CTX_AUTHENTICATE (0x0A)
ENG = HAB_ENG_ANY (0x00)


--------- HAB Event 2 -----------------
event data:
0xdb 0x00 0x08 0x42 0x33 0x22 0x0a 0x00

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ADDRESS (0x22)
CTX = HAB_CTX_AUTHENTICATE (0x0A)
ENG = HAB_ENG_ANY (0x00)


--------- HAB Event 3 -----------------
event data:
0xdb 0x00 0x08 0x42 0x33 0x22 0x0a 0x00

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ADDRESS (0x22)
CTX = HAB_CTX_AUTHENTICATE (0x0A)
ENG = HAB_ENG_ANY (0x00)


--------- HAB Event 4 -----------------
event data:
0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x87 0x7f 0xf4 0x00
0x00 0x00 0x00 0x20

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)


--------- HAB Event 5 -----------------
event data:
0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x87 0x80 0x00 0x00
0x00 0x00 0x00 0x04

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)

>
> Obviously yes it is.
>
> You have to sign the binary differently for serial download versus boot
> from eMMC - I guess this holds for NAND too.
>
> https://boundarydevices.com/high-assurance-boot-hab-dummies/
>
> I have a serial download version of u-boot and an eMMC version for
> signed boards for that reason i.e. you can't use the same image.
>
> HAB for dummies explains it.
>
> ---
> bod

Anyway, let me go through this article one more time,
and I'll get back to you.

Thanks for the suggestions!

-- 
Best regards - Freundliche Grüsse - Meilleures salutations

Igor Opaniuk

mailto: igor.opaniuk at gmail.com
skype: igor.opanyuk
+380 (93) 836 40 67
http://ua.linkedin.com/in/iopaniuk
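
A triage helper for `hab_status` console captures like the one in this message, added here as an example and not part of the original e-mail or of U-Boot: it re-reads the raw `event data` bytes, checks each record's length field against the bytes actually captured, and groups events by reason and context. Byte offsets and code names are taken from the capture itself; the function names and the cut-off third record in the sample are constructed for illustration.

```python
import re
from collections import Counter
# (field, byte offset, names). Only codes printed in the capture are named.
FIELDS = (("sts", 4, {0x33: "HAB_FAILURE"}),
          ("rsn", 5, {0x22: "HAB_INV_ADDRESS", 0x0C: "HAB_INV_ASSERTION"}),
          ("ctx", 6, {0x0A: "HAB_CTX_AUTHENTICATE", 0xA0: "HAB_CTX_ASSERT"}),
          ("eng", 7, {0x00: "HAB_ENG_ANY"}))

# Constructed sample: events 1 and 4 from the capture, then a cut-off record.
SAMPLE = """--------- HAB Event 1 -----------------
event data:
0xdb 0x00 0x08 0x42 0x33 0x22 0x0a 0x00
STS = HAB_FAILURE (0x33)
--------- HAB Event 4 -----------------
event data:
0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x87 0x7f 0xf4 0x00
0x00 0x00 0x00 0x20
--------- HAB Event 5 -----------------
event data:
0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00
"""

def extract_records(text):
    """Return the raw bytes of each 'event data:' block, ignoring the decoded lines."""
    chunks = re.split(r"-+ HAB Event \d+ -+", text)[1:]
    bodies = (c.partition("event data:")[2].partition("STS")[0] for c in chunks)
    return [bytes(int(h, 16) for h in re.findall(r"0x([0-9a-fA-F]{2})\b", b)) for b in bodies]

def decode(rec):
    """Decode one record; raise if the length field disagrees with the bytes captured."""
    length = int.from_bytes(rec[1:3], "big")
    if len(rec) < 8 or rec[0] != 0xDB or length != len(rec):
        raise ValueError(f"bad record: length field {length}, {len(rec)} bytes captured")
    event = {key: names.get(rec[off], f"0x{rec[off]:02x}") for key, off, names in FIELDS}
    # Trailing payload as big-endian 32-bit words; the page does not say what they mean.
    event["words"] = [int.from_bytes(rec[i:i + 4], "big") for i in range(8, length, 4)]
    return event

def summarize(text):
    """Count decodable events by (reason, context); also count rejected records."""
    counts, rejected = Counter(), 0
    for rec in extract_records(text):
        try:
            counts[tuple(decode(rec)[k] for k in ("rsn", "ctx"))] += 1
        except ValueError:
            rejected += 1
    return counts, rejected
```
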

